Cloned device detection

ABSTRACT

Detection of cloned devices, such as but not necessarily limited to facilitating detection of cloned cable modems or other endpoints in a network used to gain access to network resources, is contemplated. The cloned device detection may include a server operating according to publish-subscribe (Pub-Sub) or messaging queue (MQ) principles, facilitating detection of cloned devices across disparate system operators.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. provisional application no. 62/558,931 filed Sep. 15, 2017, the disclosure of which is incorporated in its entirety by reference herein.

TECHNICAL FIELD

The present invention relates to detecting cloned devices, such as but not necessarily limited to facilitating detection of cloned cable modems, access points or other endpoints in a network used to gain access to network resources.

BACKGROUND

The Cable industry is one of many industries suffering from an inability to sufficiently detect cloned devices, modems, etc. The problem is even worse when trying to address the issue across multiple service providers/operators having millions of already deployed devices. The Cable industry has deployed, in the past years, strong device credentials (X509 device certificates) into cable modems to ensure the authenticity of the device and compliance to the standards; however, because of JTAG ports present (and active) on cable modem devices, it is quite easy to clone legit modems. One non-limiting aspect of the present invention contemplates inter-operator cooperation for cloned device detection addressing this problem without requiring significant changes in deployed devices or large infrastructure investment.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a system for cloned device detection in accordance with one non-limiting aspect of the present invention.

DETAILED DESCRIPTION

As required, detailed embodiments of the present invention are disclosed herein; however, it is to be understood that the disclosed embodiments are merely exemplary of the invention that may be embodied in various and alternative forms. The figures are not necessarily to scale; some features may be exaggerated or minimized to show details of particular components. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a representative basis for teaching one skilled in the art to variously employ the present invention.

FIG. 1 illustrates a system for cloned device detection in accordance with one non-limiting aspect of the present invention. A Publisher-Subscriber (or Pub-Sub) server may be used to interconnect, via the Internet or other suitable network, all endpoints (in the Cable industry case—the CMTS) or access points to services associated with different service providers. The endpoints may subscribe and publish to the same “channel” such that when a new device (cable modem) goes online, such as part of an authentication process or other exchange undertaken to permit access to services, an information exchange, i.e., the resulting authentication information, can be shared via the server between the CMTSs. The server and/or the CMTSs then verify the connection (after the connection is successful) and send a message in the queue carrying (but not limited to) the identifiers for the connecting device (e.g., the MAC address of the modem or the HASH of the device certificate) and the reporting entity identifiers (the CMTS). All CMTSs connected to the channel will receive the message and will then check if the same device is connected to them. If that is the case, the identified device can either be reported as connecting from distinct locations and/or it can be disconnected so that only one of the devices will be allowed on the network.

The present invention combines the use of an MQ system (also referred to as a Pub-Sub system) with strong device identifiers. In particular, the process starts when a device requests a connection to the local infrastructure end-point (e.g., the CMTS). After the device has been verified as authentic, the OSS/BSS component (which is connected to the MQ system) publishes the information about the new device in the MQ: the message carries the identifiers of the device together with some administrative information (e.g., geo-location, port, etc.). This information is then shared across all entities subscribed to the system's queue(s). Messages are then processed and used for different purposes, such as (a) detecting cloned devices coming online, (b) generating statistics about how cloned devices are actually used, (c) populating a database of device activities that can be used for infrastructure and customer support, (d) allowing the automatic disconnection of all instances of cloned devices (except the last logged in), and (e) sharing the information about devices across different operators.

The present invention envisions the deployment of a lightweight Pub-Sub system instead of requiring the deployment of databases that might be difficult to share with other parties (e.g., other operators)—this results in a “standardized” approach to the problem, especially when considering the complexity of reliably sharing the data across multiple operators (therefore solving the modem cloning issue also across operators). The use of a Pub-Sub system to detect (and share) information about duplicate devices going online at the same time via the use of secure (and obfuscated) identifiers (e.g., certificates' hashes or “authenticated” MAC addresses—i.e., MAC addresses retrieved from the device's certificate) may be particularly beneficial.

The Cable industry has deployed, in the past years, strong device credentials (X509 device certificates) into Cable modems to ensure the authenticity of the device and compliance to the standards, yet it is quite easy to clone legit modems. The possibility to clone modems and deploy them in different locations is causing some issues to the Cable operators in terms of activities (usually illegal) performed with these cloned devices, stolen service (circumventing bandwidth caps or associating the traffic to a different customer), or just the sheer amount of data served through these devices (>1 Pb a month). The present invention contemplates combining the efficiency of delivering “multicast”-type messages via a Publisher-Subscriber (or Pub-Sub) system with the availability of strong device credentials (e.g., Digital Certificates, Private Keys, or Secret Keys) that are used to enable the detection of cloned devices. A Pub-Sub system may be used in this manner to detect duplicate devices going online at the same time via the use of certificates' hashes or “authenticated” MAC addresses (i.e., MAC addresses retrieved from the device's certificate).

The invention envisions the deployment of a Pub-Sub system where all the endpoints (in the Cable industry case—the CMTS) subscribe and publish to the same “channel”—when a message is sent by a CMTS to the channel, all other subscribers will receive the same message. Connection to the Pub-Sub system must be protected against unlawful access (via strong credentials like digital certificates or strong passwords) and eavesdropping (via the use of TLSv1.2+). When a new device (cable modem) goes online, the CMTS that verifies the connection (after the connection is successful) sends a message to a Pub-Sub system queue. The message carries, in its payload, the identifiers for the connecting device (e.g., the MAC address of the modem or the HASH of the device certificate) and the reporting entity ones (the CMTS' identity, location, and/or connected port). In case CMTSs are provided with verifiable credentials (e.g., Digital Certificates), messages might be authenticated (signed). This information is to be sufficiently obfuscated to address the operator's privacy concerns. The format of the message is TBD.

All connected CMTSs will receive the message and will then check if the same device is connected to them or not. If that is the case, the identified device can either be reported as connecting from distinct locations and/or it can be disconnected (so that only one of the cloned devices will be allowed on the network at any given time). The issue of detecting cloned devices is not specific to a single cable company, but it cuts across the entire market and geographical areas. Because of this, some form of interoperability across operators is required (when and if operators are willing to deploy a shared system) to solve the issue on a global scale. In particular, our system addresses this problem by envisioning the use of exchange nodes where different operators can run bidirectional gateways to route CMTS messages among different operators' networks.
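The publish-and-check flow described above, as an added Python simulation that is not part of the patent: an in-process Channel stands in for a real broker such as RabbitMQ, the CMTS and Recorder classes and the certificate bytes are constructed for illustration, and the subscriber applies the "keep only the last logged-in instance" policy from the description (the Recorder plays the one-way listening node that feeds a central database).

```python
import hashlib


class Channel:
    """In-process stand-in for one Pub-Sub channel (RabbitMQ, IBM MQ, ...)."""
    def __init__(self):
        self.subscribers = []

    def subscribe(self, sub):
        self.subscribers.append(sub)

    def publish(self, msg):
        for sub in self.subscribers:          # every subscriber sees every message
            sub.on_message(msg)


def device_id(cert_der: bytes) -> str:
    """Obfuscated identifier: SHA-256 of the modem's X.509 certificate (DER)."""
    return hashlib.sha256(cert_der).hexdigest()


class CMTS:
    def __init__(self, name, operator, channel):
        self.name, self.operator, self.channel = name, operator, channel
        self.online, self.alerts = {}, []      # device_id -> port; clone reports
        channel.subscribe(self)

    def device_authenticated(self, cert_der, port):
        """Called after the modem's certificate check succeeded locally."""
        did = device_id(cert_der)
        self.online[did] = port
        self.channel.publish({"device": did, "cmts": self.name,
                              "operator": self.operator, "port": port})

    def on_message(self, msg):
        if msg["cmts"] == self.name:
            return                             # our own report, ignore
        did = msg["device"]
        if did in self.online:                 # same identity online here too: clone
            self.alerts.append((did, self.online[did], msg["cmts"], msg["operator"]))
            del self.online[did]               # disconnect ours; last login wins


class Recorder:
    """Listening node: one-way gateway from the channel to a central event store."""
    def __init__(self, channel):
        self.events = []
        channel.subscribe(self)

    def on_message(self, msg):
        self.events.append(dict(msg))


def run_scenario():
    ch = Channel()
    rec = Recorder(ch)
    a = CMTS("cmts-a", "operator-1", ch)
    b = CMTS("cmts-b", "operator-2", ch)
    legit = b"constructed DER bytes of modem cert #1"   # constructed sample input
    other = b"constructed DER bytes of modem cert #2"
    a.device_authenticated(legit, port=3)    # first instance online at operator 1
    b.device_authenticated(other, port=5)    # unrelated modem: no alert anywhere
    b.device_authenticated(legit, port=7)    # same identity appears at operator 2
    return a, b, rec
```

Running `run_scenario()` leaves the identity online only at cmts-b, with a single clone alert at cmts-a naming cmts-b/operator-2 and all three reports in the recorder.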

Some aspects of this invention include: (a) its ease of deployment via existing services and software (i.e., there are open-source and free implementations of Pub-Sub systems currently used in the industry like RabbitMQ or IBM's MQ), (b) the low costs of deployment (back-end oriented and software only solution), (c) it does not require any hardware changes on the network side or on the client side, and (d) the system can be deployed according to the operator's resources and schedule (does not require large investment upfront). Because of the flexibility of the system, operators can deploy the system first in selected areas and drive pilot programs for the deployment and the interoperability across operators and then expand on it as needed. It is important to notice that this approach works in mixed environments (i.e., DOCSIS 2.0+) without requiring support from device vendors. The deployment and adoption of this system is important as there is no other solution today that allows cross-operator capabilities. The system provides the possibility for building a “live” database of the connected devices and their locations by simply recording all events in a centralized database (in this case the listening node acts as a one-way gateway for data flowing from the Pub-Sub infrastructure to the centralized database). This would provide the possibility for analyzing the status of the system in real-time and for correlating events. The mechanism described here is not specific (as formulated today) to the Cable industry but can potentially be adopted in other ecosystems that present similar characteristics (i.e., device identifiers + backend trust relationships + cloned devices problem).

While exemplary embodiments are described above, it is not intended that these embodiments describe all possible forms of the invention. Rather, the words used in the specification are words of description rather than limitation, and it is understood that various changes may be made without departing from the spirit and scope of the invention. Additionally, the features of various implementing embodiments may be combined to form further embodiments of the invention.

What is claimed is:
1. A method for determining a cable modem to be cloned or non-cloned, the method comprising: subscribing to a channel of a publish-subscribe (Pub-Sub) server, the Pub-Sub server using the channel to report authentication information for a plurality of cable modem termination systems (CMTSs), the authentication information identifying other cable modems authenticated with a corresponding one of the plurality of CMTSs; determining the cable modem to be non-cloned when authentication information associated therewith fails to match with authentication information reported over the channel; and determining the cable modem to be cloned when authentication information associated therewith matches with authentication information reported over the channel.
2. The method of claim 1 further comprising determining the cable modem to be cloned when a media access control (MAC) address of the cable modem matches with another MAC address reported over the channel.
3. The method of claim 1 further comprising determining the cable modem to be cloned when a hash of a X.509 certificate associated with the cable modem matches with another hash of another X.509 certificate reported over the channel.
4. The method of claim 1 further comprising determining the cable modem to be cloned when the authentication information associated therewith matches with authentication information reported over the channel from another service provider.
5. The method of claim 1 further comprising determining the cable modem to be cloned in response to receiving a cloned message from the Pub-Sub server.
6. The method of claim 5 further comprising determining the cable modem to be cloned when attempting to connect to a first CMTS of the plurality of CMTSs while another cable modem having matching authentication information is authenticated to a second CMTS of the plurality of CMTSs.
7. The method of claim 6 further comprising the Pub-Sub server transmitting the cloned message to the first CMTS in response to receiving a matched message from the second CMTS.
8. The method of claim 7 further comprising the second CMTS transmitting the matched message in response to determining authentication information associated with the cable modem and reported over the channel matching with authentication information of the another cable modem.
9. The method of claim 6 further comprising the Pub-Sub server transmitting the cloned message in response to determining authentication information received from the second CMTS matching with authentication information received from the first CMTS for the cable modem.
10. The method of claim 1 further comprising preventing authentication of the cable modem when determined to be cloned.
11. The method of claim 1 further comprising determining the cable modem to be cloned when attempting to connect to a first CMTS of the plurality of CMTSs while another cable modem having matching authentication information is authenticated to a second CMTS of the plurality of CMTSs.
12. The method of claim 11 further comprising determining the cable modem to be cloned without requiring the first CMTS to be aware of the another cable modem having matching authentication information.
13. The method of claim 11 further comprising determining the cable modem to be cloned without requiring the first CMTS to communicate with the second CMTS.
14. The method of claim 11 further comprising determining the cable modem to be cloned without requiring the first CMTS to store or otherwise have a priori knowledge of the matching authentication information of the another cable modem associated with the second CMTS.
15. The method of claim 1 further comprising the Pub-Sub server reporting the authentication information in real-time and contemporaneously to receipt from the plurality of CMTSs.
16. The method of claim 1 further comprising the Pub-Sub server reporting the authentication information in a reporting message periodically transmitted over the channel.
17. The method of claim 16 further comprising the reporting message identifying the authentication information for each of the cable modems associated with the plurality of CMTSs.
18. A method for determining a device to be cloned or non-cloned, the method comprising: reporting over a channel of a publish-subscribe (Pub-Sub) server authentication information for a plurality of endpoints, the authentication information uniquely identifying other devices authenticated to access services through one or more of the endpoints; determining the device to be non-cloned when authentication information associated therewith fails to match with authentication information reported over the channel; and determining the cable modem to be cloned when authentication information associated therewith matches with authentication information reported over the channel.
19. The method of claim 18 further comprising determining the device to be cloned when attempting to connect to a first endpoint of the plurality of endpoints when one of the other devices having matching authentication information is connected to a second endpoint of the plurality of endpoints, the second endpoint being associated with a different service provider than the first endpoint, the first endpoint determining the matching authentication information from authentication information reported thereto over the channel.
20. A method for determining a cable modem to be cloned or non-cloned, the method comprising: receiving authentication information from a plurality of cable modem termination systems (CMTSs) associated with two or more service providers, the authentication information identifying other cable modems having completed an authentication sufficient to access services through one of the plurality of CMTSs; reporting the authentication information over a channel subscribed to by the plurality of CMTSs in a manner sufficient for one or more of the plurality of CMTSs to determine: i) the cable modem to be non-cloned when authentication information associated therewith fails to match with authentication information reported over the channel; and ii) the cable modem to be cloned when authentication information associated therewith matches with authentication information reported over the channel.
 20. A method fordetermining a cable modem to be cloned or non-cloned, the methodcomprising: receiving authentication information from a plurality ofcable modem termination systems (CMTSs) associated with two or moreservice providers, the authentication information identifying othercable modems having completed an authentication sufficient to accessservices through one of the plurality of CMTSs; reporting theauthentication information over a channel subscribed to by the pluralityof CMTSs in a manner sufficient for one or more of the plurality ofCMTSs to determine: i) the cable modem to be non-cloned whenauthentication information associated therewith fails to match withauthentication information reported over the channel; and ii) the cablemodem to be cloned when authentication information associated therewithmatches with authentication information reported over the channel.